SecretSifter: Live Credentials & Secrets Scanner

Detects secrets, API keys, and tokens in JS, JSON, XML, and HTML at runtime

SecretSifter is a runtime secrets scanner built for penetration testers, bug bounty hunters, and security engineers. It automatically intercepts and scans network traffic in the active tab — JavaScript files, JSON API responses, XML responses, HTML pages, and WebSocket frames — and flags exposed secrets such as: • API keys, Bearer tokens and JWT secrets • Passwords and credentials in response bodies KEY FEATURES • T1 / T2 / T3 confidence tiers to separate real findings from noise • WebSocket scanning — intercepts both incoming and outgoing WS frames • CDN blocklist — skip known third-party libraries and analytics scripts automatically • Suppressed key names — silence app-specific noise with one click • Full findings report with severity badges (Critical / High / Medium / Low) • Export findings to JSON, CSV, or HTML report • Export scanned URL list (JS, JSON, HTML, XML, requests, WebSocket) • DevTools panel + popup — works however you prefer • Privacy-first — all findings stored locally in your browser; the only external call is an optional Google Maps API key validation probe sent directly to Google DESIGNED FOR SECURITY PROFESSIONALS Scanning is opt-in per tab. No accounts, no telemetry, no developer-controlled servers.